# WRT (Weighted Risk Trend)

Our team decided to adopt best practices and draw inspiration from [HP's ideas](https://owasp.org/www-pdf-archive/Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf), which led us to discover overlaps with the widely used *error budget* practice. We believe that utilizing the WRT metric would be a suitable solution to enhance security operations.

**Weighted Risk Trend** (WRT) is a **Key Performance Indicator** (KPI) that provides **business-level context** to security-generated data.

The **WRT metric** expresses the state of security in numerical terms, without diving into technical details. It is tied to **business criticality**, which in turn is tied to the risks posed by the vulnerabilities found in the product. WRT can provide business value by helping teams identify and address security risks.

WRT is calculated using the formula:

<figure><img src="https://3069717380-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M81VrXQrfSaYjNIFOtt%2Fuploads%2Fp1ZRHoOEiHA0jRdyW07N%2Fimage.png?alt=media&#x26;token=28a5f76e-3ab2-49b7-95b1-b4834ca9cac4" alt=""><figcaption></figcaption></figure>

* each **multiplier** is equal to the weight of the corresponding severity level;
* **defects** is equal to the number of findings of that severity;
* **business criticality** — an assessment of the importance of the product to the company, ranging from one to ten.
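
The following is an added example, not code from the original page or from the project it describes. It assumes the terms above combine as the sum of multiplier × defects over all severities, multiplied by business criticality; the severity weights, the `Snapshot` type, and the sample products are hypothetical values constructed for illustration.

```python
# Added example: severity weights and sample products are constructed assumptions.
from dataclasses import dataclass

# Hypothetical severity weights (the page does not specify values).
SEVERITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class Snapshot:
    product: str
    business_criticality: int   # 1..10, per the page
    defects: dict               # severity -> number of open findings


def wrt(snapshot, weights=SEVERITY_WEIGHTS):
    """Sum of (multiplier x defects) over severities, scaled by business criticality."""
    if not 1 <= snapshot.business_criticality <= 10:
        raise ValueError("business criticality must be between 1 and 10")
    unknown = set(snapshot.defects) - set(weights)
    if unknown:
        raise ValueError(f"no weight defined for severity: {sorted(unknown)}")
    if any(n < 0 for n in snapshot.defects.values()):
        raise ValueError("defect counts cannot be negative")
    weighted = sum(weights[sev] * n for sev, n in snapshot.defects.items())
    return weighted * snapshot.business_criticality


def trend(series):
    """Change in WRT between consecutive snapshots (negative = risk going down)."""
    scores = [wrt(s) for s in series]
    return [later - earlier for earlier, later in zip(scores, scores[1:])]


# Constructed sample data: one product scanned in three consecutive periods.
PAYMENTS = [
    Snapshot("payments-api", 9, {"critical": 1, "high": 4, "medium": 10, "low": 20}),
    Snapshot("payments-api", 9, {"critical": 0, "high": 3, "medium": 12, "low": 25}),
    Snapshot("payments-api", 9, {"critical": 0, "high": 1, "medium": 6, "low": 30}),
]
# Same finding counts as the first snapshot, but a low-criticality product.
WIKI = Snapshot("internal-wiki", 2, {"critical": 1, "high": 4, "medium": 10, "low": 20})

if __name__ == "__main__":
    for s in PAYMENTS:
        print(s.product, wrt(s))
    print("trend:", trend(PAYMENTS))
    print(WIKI.product, wrt(WIKI))
```

Note that the second `payments-api` snapshot has more findings in total than the first (40 versus 35) yet a lower WRT, because the critical finding was closed; a raw finding count would have shown the opposite direction.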
